In recent months, there have been increasing reports of fraud schemes involving Ledger / Ledger Live wallets. Criminals use sophisticated techniques, from phishing and physical mail to malware on PCs or smartphones, to obtain the recovery phrase (24 words) or private keys. For victims, the path back is often difficult. This is where we at Rogert & Ulbrich Law Firm come in: we help clients get their money back. In this article, we introduce you to the most common forms of fraud and offer tips on how you can protect yourself.
Current scams involving Ledger & Ledger Live
- Phishing emails / fake update requests
  - Fake emails claiming to be from Ledger ask users to download a new version of Ledger Live or perform a “security update.”
  - These messages often contain a button such as “Verify Now” or “Secure My Account,” which leads to a fake website where the 24-word phrase is then requested.
  - Particularly dangerous: fake Ledger apps have been discovered on macOS that replace the real application and ask you to enter the phrase.
- Physical mail (Ledger Letter Scam)
  - Criminals send deceptively real letters to user addresses (some of which come from leaked data).
  - The letter often contains QR codes or links to fake websites asking you to validate your wallet or perform security updates.
  - Ledger itself confirms that it never sends letters with such requests.
- Telephone calls / social engineering via hotline
  - Victims receive calls claiming their Ledger account has been compromised. They are then asked to visit a website or enter their recovery phrase.
  - Some cases report that details (name, email address) from data leaks have been used to inspire trust.
  - Important: Ledger never calls users and will never ask for the recovery phrase.
- Fake Ledger software / manipulated apps / malware
  - Fraudsters offer a manipulated version of Ledger Live that appears legitimate but collects the seed phrase upon login.
  - Browser plugins or external apps that mimic Ledger functionality are also in circulation.
  - In some cases, malware is secretly installed on the computer and monitors actions in the background.
  - A technically sophisticated variant: a manipulated hardware device (e.g., purchased, opened, or with hardware components swapped) is resold as a genuine device. A seed created on such a device is therefore already compromised.
- Address poisoning
  - A more recent scam involves an attacker sending a small amount of cryptocurrency or an NFT to a user's address. This so-called "poisoned address" can result in the next transaction automatically transmitting manipulated data or redirecting the user to a phishing website.
- Clipboard manipulation (e.g. EthClipper attacks)
  - A classic technique in which malware monitors the clipboard in the background and, when a crypto address is copied, replaces it with a manipulated one. The user notices only a slight discrepancy and then unknowingly sends the transaction to the attacker.
- Technical Support Scam / Fake Recovery Services
  - Scammers offer repair or support services for wallet issues on social media or through advertisements. Users are redirected to a "support channel" where the scammers systematically manipulate them into disclosing their keys or confirming transactions.
Legal perspective & options for victims
- File a criminal complaint: As soon as a loss occurs, a report should be filed with the police immediately, if possible with all evidence (email, letters, screenshots).
- Blockchain analysis / trace detection: With the help of on-chain analysis, it is often possible to trace where the stolen coins went.
- Civil law claims: In certain cases, it can be examined whether service providers, intermediaries or platforms can be held liable – for example, due to breaches of duty, incorrect security advice or culpable negligence.
- Immediate measures in case of suspicion:
  1 – Involve experts (IT forensics, crypto law)
  2 – Stop accessing the compromised wallet / seed
  3 – Generate a new wallet with a fresh seed (offline)
  4 – Transfer any funds, if still available, immediately
  5 – Revoke access rights (dApp permissions)
Protective measures & best practices
- Buy Ledger devices only from the manufacturer or official resellers
- Firmware / software only from official sources / directly from Ledger
- Never enter the 24-word recovery phrase anywhere – only on the device itself
- Distrust emails, calls or mail with urgent requests
- **Check domains carefully – look for minimal deviations (e.g. “legder”, “ledqer”)**
- Regular device checks / authenticity checks according to Ledger instructions
- Do not install third-party apps that imitate Ledger features
- Monitor clipboard / Use anti-malware
- Check permissions / smart contract authorizations and revoke them if necessary
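
The domain check from the list above, as an added Python example (not code from Ledger or from the authors of this article): it flags hosts with a label within one edit or adjacent-letter swap of "ledger", or that use the brand name outside the official domain. Treating ledger.com as the only genuine domain, the one-edit threshold and the sample URLs are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

BRAND = "ledger"
OFFICIAL_DOMAIN = "ledger.com"  # assumption: the only genuine domain for this check


def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap as 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        cur = [i] + [0] * len(b)
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "gd" typed for "dg" in "legder"
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]


def check_url(url: str) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for a link from a message."""
    if "://" not in url:
        url = "//" + url  # let urlsplit parse bare hosts such as "ledger.com"
    host = (urlsplit(url).hostname or "").rstrip(".")
    if host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN):
        return "official"
    # Inspect every label: the brand may sit in a subdomain or a hyphenated name.
    for label in re.split(r"[.-]", host):
        if BRAND in label or osa_distance(label, BRAND) <= 1:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links, not taken from real messages.
    for sample in (
        "https://www.ledger.com/ledger-live",
        "https://legder.com/verify",
        "http://ledqer.com",
        "https://ledger.com.secure-update.example/",
        "https://example.org/",
    ):
        print(f"{check_url(sample):10} {sample}")
```

The check compares ASCII labels only, so a link should still be opened only by typing the official address by hand.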



